Wednesday, November 11, 2009

Historically, security management in hotels could be characterized as fragmented, uncoordinated and reactive. It was certainly not seen as central to the success of the business. Given the largely static security environment of hotels in the past, this approach was, however, probably effective enough in mitigating the security risks that confronted international hotel brands. As hotels themselves shifted from being largely individually owned to the international brands that currently populate business travellers’ lodging options, sets of brand standards emerged that attempted to guarantee a consistently good hotel experience for frequent travellers across the brand. In most cases, however, the move to brand consistency had little impact on security management, which had tended to become somewhat detached from developments elsewhere in the hotel sector and had become something of an organizational anachronism (even if still reasonably effective in responding to routine security issues). At the same time, the risk environment in which hotels operated was changing. Developments in the political, economic, social, technological and legal spheres were presenting new challenges as well as opportunities for hotel security risk management. The most salient element of this shift was the emergence of international terrorism, and this was made abundantly clear when al Qaeda in Iraq carried out simultaneous suicide attacks against three international hotels in Amman in November 2005. This was not, however, the only element in the security spectrum that had changed. The end of the Cold War had shifted the global security paradigm in other areas that now affected hotel risk management, such as identity theft and money laundering. National catastrophes such as the Asian tsunami and Hurricane Katrina in recent years also challenged the security departments of international hotel brands to prepare and respond to significantly higher-impact events. Similarly, security (and risk) departments became the first port of call for senior hotel management when faced with events such as the conflict in Lebanon in 2006 and 2007 and newly emerging threats such as cyber-crime. It became clear to IHG during this period that the traditional, fragmented and reactive approach to hotel security was not able to provide the desired level of sophisticated protection against a rapidly more complex and ambiguous threat environment; nor was it well placed to meet the increasing expectations placed on hotels to prevent, prepare for, respond to and recover from major risk incidents. IHG therefore carried out a far-reaching analysis of its existing security capacity set primarily against the benchmark of the international terrorist threat and developed a strategy of threat-based security risk management. The consequences of this study were to have a profound effect on the company’s perception of both the security risks and the consequent mitigation strategy.

Tuesday, November 3, 2009

The law uses language similar to the language of risk management, but that language is interpreted in a different way. Understanding this difference is a key to unlocking controls that may reduce your residual risk. If you have ever picked up a legal textbook, talked to lawyers or been in court, you will have encountered language on the issue of risk that sounds vaguely familiar. There is an entire body of law, called ‘tort’, which sets out how much risk is acceptable and when you will be held liable if a risk materializes and causes damage to others. Tort law lays down that, in certain circumstances, you are deemed to owe a ‘duty of care’ to others. An employer’s duty to employees is an example. How much care you have to exercise is determined by an objective ‘standard of care’. If the standard of care you exercise is lower than a court would expect, and this contributes to someone sustaining a loss, then a court will hold you liable to pay compensation for the damage caused. Compensation for personal injury is the classic example.In order to determine the standard of care, courts are meant to look at the ‘magnitude of the risk’. The greater the risk the greater the standard of care will be. An example will help you to understand this. Take a zoo. The standard of care required to guard against visitors being injured by animals will vary according to the threat posed by a given animal. If a visitor is attacked by a lion, serious injury or death is the likely result. On the other hand, an attack by a penguin is likely to result in the victim being more embarrassed than anything else. So the law requires that a higher standard of care be applied to lions than to penguins. So, if you think about it, this idea of setting a standard of care on the basis of the magnitude of the risk looks like part of an RM process, of establishing the ‘probability of an occurrence and possible consequences’. In setting this standard of care, the law takes into consideration the ‘costs of preventative measures’ and the ‘social value’ of the activity being engaged upon. Again, this is language on which you can place a meaning, as its sounds pretty much like ‘cost–benefit analysis’ and ‘defining your context’ or ‘setting strategic objectives’ in an RM process. [.............]

The secrets of success that emerged from the research we conducted are strongly reinforced by our experience in helping organizations of different types and sizes around the world manage risk successfully. They can be summarized as follows:

Before you start, gain top management commitment.

Get the organizational arrangements right.

Have a strong, personable programme manager who has the drive, skill andexperience to deal with business, people, and technical issues as well as to drivea company-wide programme.

Base your approach on a crystal-clear definition of risk that addresses what needs to be protected and both the magnitude and the probability of harm.

Measure the five determinants or indicators of risk that your insurancecompany considers when assessing the risk posed by drivers (criticality or valueat risk; status of controls; special circumstances, eg complexity or scale; experienceof incidents; and the business impact of incidents).

Ensure the risk management process is constructive rather than blameoriented (otherwise people will evade or sabotage the programme).

Ensure the risk management process is continuous rather than a series of oneoffevaluations (so improvements can be tracked over time).

Make risk management a personal responsibility of individual business‘owners’ of your ‘targets of evaluation’.

Keep evaluations simple, efficient, objective and business oriented.

Ensure the process is proportionate (when resources are limited it makessense to focus them where they will have the greatest payback rather thanspreading them evenly across everything).